A LETTER FROM NAI EXECUTIVE DIRECTOR


Regulators have rightfully stated that industry self-regulation only works when it is backed up by 
serious compliance efforts, tough enforcement, and accountability. I agree. I joined the NAI just
over one year ago, motivated by my belief that effective self-regulation based upon meaningful 
standards and rigorous enforcement is critical for the success of the online advertising ecosystem. 
In the year that I’ve served as Executive Director, the NAI has continued to advance this model of 
self-regulation. 


Our Code of Conduct — which has among the highest standards in the industry — prescribes notice, 
choice, use limitations, data minimization, access, security, and accountability requirements with 
respect to online behavioral advertising. Looking ahead, we intend to update our Code to ensure 
that it remains relevant in a world of rapidly evolving business models and new technologies. 


The keystone of the NAI's self-regulatory framework is our comprehensive compliance program 
that includes annual reviews, ongoing technical monitoring, sanctions procedures, and annual 
reporting. The compliance team demonstrates year-after-year that self-regulation works and 2012 
was no different. The 2012 NAI compliance review provided a meaningful assessment of evaluated 
member companies’ compliance with the NAI Code and demonstrated that member companies 
continue to take their obligations under the Code seriously. 


As this report illustrates, our efforts extend beyond strict compliance with the Code. As NAI staff 
engages with our members, they continuously recommend best practices based on lessons learned 
from examining the business activities of dozens of companies. We constantly challenge ourselves 
to think creatively about the application of fair information practice principles in our ever-changing 
digital landscape. Through these efforts, the NAI raises the bar for responsible data management 
across the entire third-party ecosystem. 


I am proud of our compliance team and of the results of this year’s annual review. I look forward to
working with member companies to develop and implement the updated NAI Code and to help
ensure that NAI policies remain relevant and enforceable for an increasingly diverse range
of third-party data collection practices.
Marc Groman
Executive Director, NAI

A LETTER FROM NAI


The NAI is the gold standard and model for self-regulatory programs, as demonstrated by our 
thirteen-year commitment to best practices in online behavioral advertising. That commitment
is reflected in the NAI’s Code of Conduct, a set of strict standards that govern the collection and
use of data for online advertising. All member companies, including my own, must publicly attest 
to abide by these standards. 


What sets the NAI apart, though, is its rigorous compliance program. Companies like mine cannot 
simply “sign up” for NAI membership. To the contrary, member companies are required to annually
renew their commitments to abide by the NAI Code and to undergo a robust review to help ensure 
that they meet their promises. While these annual reviews may require companies to expend 
significant time and resources, they are necessary to help ensure full compliance with the Code. 
The compliance team conducts careful reviews of each member company’s processes, procedures, 
and technical systems such as opt-out mechanisms. And I know from personal experience that they
don’t conclude their reviews until they have satisfactory answers to all their questions. 


This process is not an easy one, but it makes all NAI member companies better by helping to
ensure we are meeting the obligations of the NAI Code and providing end users with transparency 
and control. By bringing an external perspective that is informed by industry best practices, the NAI 
compliance team helps us to integrate the principles set forth in the NAI Code into our everyday 
thinking. The annual review, moreover, forces us all to take a careful look at our existing practices 
and disclosures at least annually, and thus reinforces our existing privacy-by-design reviews. 


Rob Gratchner 
NAI Board Chairman and Vice President, AudienceScience 


EXECUTIVE SUMMARY


The Network Advertising Initiative (NAI) is the leading self-regulatory body governing
“third parties” in the online advertising ecosystem. The NAI's nearly 100 member companies
engage in or support Online Behavioral Advertising (OBA, sometimes referred to as
Interest-Based Advertising), and include ad networks, platforms, data aggregators, ad
exchanges, creative optimization firms, and others. These diverse companies all commit
to self-regulatory standards that establish and reward responsible business and data
management practices.

The NAI’s compliance and enforcement program includes pre-certification reviews, annual
compliance reviews, ongoing technical monitoring, mechanisms for accepting and investigating
complaints, and sanctions procedures.


To be members, companies must abide by the
NAI 2008 Self-Regulatory Code of Conduct (NAI
Code or Code). The Code requires transparency
with respect to companies’ data collection and
use practices and choice with respect to the
collection and use of data for OBA. The Code
also requires consumer education efforts, limits
the use of data collected for OBA, restricts
the transfer of data collected for OBA to third
parties, requires members to work with “reliable”
data sources, and mandates reasonable security
for the data they collect and use for OBA. Finally,
the NAI Code disincentivises the collection of
personally identifiable information (PII). For
example, the Code requires a heightened level
of choice for the use of PII and restricts the
transfer of PII to third parties. The NAI Code also
governs members’ collection and use of data
for Ad Delivery and Reporting, which includes
activities such as reporting, frequency capping,
and attribution.


These obligations are backed up by a rigorous
compliance and enforcement program. This year-round
effort helps members comply with NAI
requirements and holds them accountable when
they don't. Even before a company may represent
NAI membership, it must undergo an extensive
pre-certification review. The compliance
team then assists members in meeting Code
obligations through informal consultations as
well as proactive technical monitoring of member
companies’ opt-out mechanisms. At the same
time, the compliance program includes formal
review procedures designed to identify potential
violations of the NAI Code, investigate those
practices, and, if necessary, sanction member
companies. In-depth annual reviews of each
member company’s business practices are the
foundation of the compliance program.

This report details NAI staff's findings with respect to the compliance of the 76 member
companies reviewed in 2012. It also explains the improvements the NAI made to its own 
self-regulatory program over the past year. 


Effective self-regulation must constantly evolve to reflect changes in business models, 
technologies, and public policy. To this end, in its 2011 Annual Compliance Report, the 
NAI committed to strengthening its self-regulatory program in myriad ways, including:
(1) making the NAI website more user-friendly; (2) increasing its technical monitoring of
member companies’ opt-out mechanisms; (3) requiring member companies to regularly 
report the domains they use for OBA; and (4) adding staff to the NAI’s compliance team 
to keep pace with the NAI's growing membership. In 2012, the NAI successfully addressed 
each of these recommendations. 


As in previous years, NAI staff and evaluated member companies expended enormous 
resources on the 2012 compliance review process. In total, NAI staff conducted nearly 
one-hundred interviews and reviewed thousands of pages of documentation. Evaluated 
member companies provided extensive information and otherwise cooperated with 
NAI staff, resulting in a thorough examination of their business practices. The process 
began with a detailed questionnaire that was substantially revised in 2012 to reflect 
evolving business practices. The compliance team reviewed members’ responses to 
the questionnaire and supporting documentation, and also independently evaluated 
member companies’ business practices as described on their websites, privacy policies, 
proprietary business materials, terms of service, contracts with advertising partners, and 
marketing materials. The compliance team then interviewed high-level management 
and engineering personnel concerning their internal processes and policies for ensuring 
compliance with the Code. 


This year's annual review found that evaluated member companies take the obligations 
imposed by the NAI seriously and are, on the whole, meeting the requirements of the 
NAI Code. In early 2012, NAI member companies contributed billions of ad impressions 
to educational campaigns that lead users to important and consumer-friendly information 
that explains how data is collected and used for OBA and the choices available to them. 
In addition, member companies have continued to provide notice to users of OBA data 
collection and use practices directly in the targeted ads they serve. Given these efforts, it 
is not surprising that more than ten million users visited the NAI's education website and 
that of the Digital Advertising Alliance, an umbrella industry self-regulatory organization 
with which the NAI participates. 


The 2012 compliance review, as well as the NAI’s technical monitoring of its members’ opt-out
mechanisms, demonstrated that evaluated member companies provide the opt-out
mechanisms required by the NAI Code and that those mechanisms, on the whole, function
as intended. Evaluated member companies have improved systems for continually
checking the operation of their opt-out systems. These efforts by member companies,
coupled with the NAI’s own monitoring, help to
ensure that users’ opt-out choices are honored.


Evaluated member companies were also
found to meet their obligations with respect
to personally identifiable information (PII). As
a result of the Code’s disincentivizing the use
of PII, all evaluated member companies collect
and use only data that is not PII (non-PII) for
OBA purposes. Evaluated member companies,
moreover, take affirmative steps to help ensure
that PII is not inadvertently passed to them, or, if
it is inadvertently passed, that it is not stored or
used for OBA purposes. Similarly, no evaluated
member company was found to collect Sensitive
Consumer Data for OBA purposes or to allow the
use of data collected for OBA for purposes other
than marketing.


While the NAI is pleased with the work it has 
done to improve its self-regulatory program and 
the hard work of its members to comply with the 
NAI Code, the NAI constantly seeks to improve. 
To that end, in 2013, the NAI intends to update 
its Code of Conduct, to adopt guidelines to 
govern the collection and use of data on mobile 
devices, and to develop rules addressing the 
use of technologies other than standard http 
cookies. The NAI looks forward to working with 
member companies on these critical initiatives 
and to reviewing nearly 100 member companies 
in the 2013 annual compliance review. 


THE NAI'S SELF-REGULATORY MISSION


NAI CODE 


The cornerstone of the NAI's self-regulatory framework is the NAI’s Code of Conduct (NAI
Code or Code).¹ Membership in the NAI requires companies to publicly state that they
adhere to the NAI Code. The Code, in turn, imposes transparency, notice, and choice
obligations on members with respect to the collection and use of data for OBA, defined
as “any process used whereby data are collected across multiple web domains owned or
operated by different entities to categorize likely consumer interest segments for use in
advertising online.”² The NAI Code specifically obligates member companies to provide
notice of data collection for OBA, and to “provide and honor” choice with respect to the
collection and use of data for OBA. The Code also requires them to educate users about
OBA, imposes limitations on the use of data collected for OBA and the transfer of such
data to third parties, requires members to obtain data used for OBA from reliable sources,
and requires members to secure the data they collect.


1 The NAI Code is available at http://www.networkadvertising.org/principles.pdf. This report summarizes the obligations imposed 
by the NAI Code, but does not fully restate all principles set forth in the Code and should not be relied upon for that purpose. 


2 The Code also imposes requirements with respect to “Ad Delivery & Reporting,” defined as “the logging of page views or the 
collection of other information about a browser for the purpose of delivering ads or providing advertising-related services.” Ad Delivery 
and Reporting includes providing an advertisement based on a browser or time of day, statistical reporting, and tracking the number of 
ads served on a particular day to a particular website. (NAI Code § II.3) 


The obligations imposed by the NAI are backed
up by a rigorous compliance and enforcement
program. The NAI’s compliance processes
seek to ensure that NAI member companies
continuously comply with the NAI Code and
hold members accountable when they fail to do
so. Those processes, detailed below, include: (1)
pre-certification reviews, (2) annual compliance
reviews, (3) ongoing technical monitoring, and
(4) mechanisms for accepting and investigating
complaints of non-compliance. The pre-certification
process is designed to bring companies into
compliance with the NAI Code before they become
members. Once companies are members, if the
compliance procedures uncover a material violation
of the NAI Code, the NAI may impose sanctions,
including referral to the NAI Board of Directors,
suspension or revocation of NAI membership, and
referral to the FTC or other enforcement bodies.³


While formal reviews and enforcement procedures
are the heart of the NAI’s compliance program,
the NAI’s model and philosophy extend beyond
annual reports and the threat of sanctions. The
compliance program is designed to help members
stay in compliance with the NAI Code through,
for example, informal consultation throughout
the year. Member companies are accordingly
able to incorporate the principles reflected in the
NAI Code into their business practices as they
evolve. Similarly, NAI compliance staff often advise
member companies on proposed changes to
privacy disclosures, helping to ensure that those
disclosures remain relevant and consistent with
Code requirements.


NAI Code Obligations
• Transparency/Education
• Notice
• Choice
• Use Limitations
• Transfer Restrictions
• Access
• Reliable Sources
• Data Security
• Accountability


3 NAI Compliance Program Attestation Review Process, available at
http://www.networkadvertising.org/compliance_and_enforcement_program.pdf; NAI Compliance Program Consumer Complaint
Process, available at http://www.networkadvertising.org/consumer_complaints.pdf.


In addition, the NAI regularly engages in external 
monitoring designed to identify and rectify potential 
issues before they affect users. Through daily 
automated monitoring of member companies’ 
opt-out mechanisms, for example, the compliance 
team identifies possible glitches in member 
companies’ opt-outs. When such issues are 
identified, NAI staff helps affected companies to 
resolve them expeditiously. Similarly, the compliance 
team monitors consumer complaints and press 
concerning member companies and their partners 
to help identify potential compliance issues. 


Through these efforts, which go beyond strict Code 
compliance, the NAI seeks to improve the practices 
of all members, thereby promoting the health of the 
online advertising ecosystem as a whole. 


Pre-Certification Reviews 


While the NAI is a membership organization, 
companies may not simply “sign up” for NAI 
membership. To the contrary, in order to become
a member of the NAI, a company must undergo a
thorough review by NAI staff and align its practices 
with the requirements of the NAI Code. This review 
includes an extensive written questionnaire and 
multiple interviews conducted by NAI staff. Among 
other topics, the interviews and questionnaire 
address prospective members’ business models, 
data collection practices, and the types of 
technologies used for OBA-related purposes. NAI 
staff also reviews applicants’ marketing materials and 
consumer-facing privacy disclosures all before the 
company is a member of the NAI. 


Through the pre-certification process, NAI staff 
attempts to ensure that companies’ privacy
disclosures adequately and accurately reflect the
types of data they collect, the methods they employ 
to collect data, and their data sharing and retention 
practices. Many companies must implement 
significant revisions to their privacy disclosures in 
order to meet NAI requirements. In some cases, 
companies have altered or eliminated particular 
business practices in order to join the NAI. The 
pre-certification process also includes methodical 
testing of opt-out scripts. NAI staff tests the opt-out 
scripts to verify that companies set opt-out cookies 
with the correct parameters, and that those cookies 
are not inadvertently deleted. 


Ongoing Complaint Intake and Automated Monitoring


Once members of the NAI, companies must 
abide by the NAI Code and are subject to the 
NAI compliance program. To that end, NAI staff 
evaluates members’ compliance with the NAI 
Code throughout the year. NAI staff investigates 
all allegations of non-compliance, whether raised 
by consumers, media reports, advocates, or other 
member companies. Where necessary, NAI staff 
launches investigations of member companies, 
requiring member companies to respond to staff 
inquiries and to provide documentation. As noted 
above, if any such investigation reveals a material 
violation of the NAI Code, the NAI may impose 
sanctions, including publication of the violation, 
revocation or suspension of membership, or referral 
to the Federal Trade Commission. 


In addition to monitoring complaints and media
reports, the NAI proactively monitors the functionality
of its members’ technology to look for evidence
of non-compliance. Since 2009, this monitoring
was comprised primarily of regular manual testing
of member companies’ opt-out mechanisms. This
testing often helped to identify potential issues
before they affected users. Nevertheless, in its 2011
Annual Compliance Report, NAI staff noted that it
had uncovered isolated issues with opt outs and
committed to increasing and formalizing its technical
monitoring of members’ opt-out mechanisms.⁴


4 NAI 2011 Annual Compliance Report, at 19-20, available at http://www.networkadvertising.org/2011_compliance_report.pdf. 

In 2012, the NAI honored its promise, increasing and formalizing its testing of members’ opt-out
mechanisms. The NAI built a compliance monitoring tool to help ensure that opt-out cookies 
are properly set and respected, and that locally stored objects (LSOs) are not used for OBA 
purposes. To do this, the compliance tool: (1) automates web crawls to gather data related to 
opt-out functionality and reliability; (2) analyzes crawl data for signs of opt-out malfunctions or 
potential disregard of opt-out cookies; and (3) reports aggregate results of these analyses on an 
hourly basis. NAI staff reviews these reports to help identify any member opt-out mechanisms 
that are not consistently functioning as intended. 


In its 2011 Compliance Report, NAI staff also recommended that all member companies be 
required to report the domains that they use for OBA on a regular basis.⁵ In 2012, the NAI
implemented this recommendation. All member companies — not only those evaluated in 2012 — 
now report the domains that they use for OBA to NAI on a quarterly basis. NAI staff uses the list 
of reported domains to build a registry that informs its technical monitoring, and cross-checks 
the registry with members’ opt-out scripts to help ensure that the opt-out mechanisms cover 
every domain used by member companies for OBA. 


Collectively, this reporting and monitoring helps the NAI to ensure that potential issues 
are addressed as early as possible. It also helps the NAI to identify any issues that require 
investigation or initiation of sanctions procedures. 


Annual Compliance Reviews 


Each year following admission to the NAI, member companies are required to renew their 
public attestations to comply with the NAI Code and to undergo a compliance review 
conducted by NAI staff. These annual reviews proactively examine NAI member companies’ 
business practices and public representations against the requirements of the NAI Code. NAI 
staff also uses the review process to educate member companies of their obligations under the 
NAI Code and to offer suggestions for aligning companies’ activities and policies with existing 
best practices that go beyond Code requirements. 


Evaluated member companies and NAI staff expend enormous resources in these reviews.
In 2012, for example, NAI staff held nearly 100 interviews and reviewed thousands of pages
of questionnaire responses, privacy policies, contracts, internal policies, marketing materials,
website content, training materials, and other documents. For their part, evaluated member
companies invested hundreds of hours in responding to a written questionnaire, participating
in interviews, and following up with NAI staff. Though resource-intensive for both NAI staff
and the companies evaluated, these reviews pay enormous dividends. In addition to helping
NAI staff identify compliance issues (and ensure that they are expeditiously addressed, or
if necessary, impose sanctions), they also help member companies to identify and address
potential problems, help to ensure that opt-outs are functioning and present acceptable user
experiences, provide members insight into current industry best practices, and help the NAI
to continually evolve its official policies through a current and thorough understanding of the
online ecosystem.


The specific methodology and findings relative to the NAI’s 2012 annual review are set forth 
in the next section. 


5 Id. at 20. 


2012 ANNUAL COMPLIANCE REVIEW


METHODOLOGY 


For the 2012 annual compliance review, NAI staff reviewed the 76 companies that were 
NAI members as of January 1, 2011. These 76 companies are referred to throughout 
the report as “evaluated member companies.” Those companies that joined the NAI 
in January 2012 or later were subject to review as part of the pre-certification process 
and must attest to compliance with the NAI Code, but were not assessed in the 2012
annual review process.

For the 2012 annual review, NAI Staff conducted nearly 100 interviews and reviewed thousands
of pages of questionnaire responses, privacy policies, contracts, internal policies, marketing
materials, website content, training materials, and other documents.


Training 

The NAI’s compliance program for 2012, as in
previous years, began with a compliance training
presentation. That presentation was designed
to refresh members’ knowledge of the Code, to
train them on new NAI policies, and to present
best practice suggestions for going beyond the
requirements of NAI Code and formal NAI policy.
The presentation supplemented the training that
NAI staff conducts on individual policy issues and
best practices throughout the year.


Agenda for 2012 Member Training
• Education
• Notices (member and partner websites)
• Working with Website Publishers
• Opt Outs
• Internal Policies and Procedures
• The NAI’s Compliance Review Program
• Next Steps, Action Items


Written Questionnaires and Supporting Documentation


Following this training, evaluated member
companies were required to engage in a
multi-stage written evaluation and interview
process. First, evaluated companies were
required to provide written responses to a
detailed questionnaire. The questionnaire,
which was substantially revised in 2012 to
account for evolving data collection practices
and business models, asked members to
describe their practices and policies relative
to NAI Code requirements, and to provide
supporting documentation. The topics covered
by the questionnaire included: descriptions of
any business practices involving the collection
and use of data for OBA and related purposes;
education efforts undertaken by the company;
notice of OBA data collection practices provided
on websites controlled by the company and on
other websites; any means used by the company
to identify or track users; technical descriptions
of the company’s opt-out functionality; lists
of cookies used (and their uses) after opt out;
processes for data sharing and data acquisition;
any use of PII for OBA or related purposes;
data retention practices; security procedures;
use of sensitive or potentially sensitive data;
and mechanisms for responding to consumer
complaints.


Evaluated Member Companies⁶

[x+1]
24/7 Real Media
33Across
Adap.tv
Adara Media
Adblade
AdBrite
Adconion
AddThis (including x-Graph)
Admeld
Aggregate Knowledge
Akamai
AOL
AppNexus
AudienceScience
Batanga
Bizo
BlueKai
BrightRoll
Brilig
Burst Media
Buysight
Casale Media
Chango
Channel Intelligence
Cognitive Match
Collective (including Tumri)
Core Audience (formerly Red Aril)
Cox Digital Solutions
Criteo
Cross Pixel Media
DataLogix
DataXu
Datonics
Dedicated Networks
Dotomi
eXelate
EZTarget Media
FetchBack
Glam Media
Google
I-Behavior
IDG Tech Network
Invite Media
Legolas
Lotame
Magnetic
Markit
MaxPoint Interactive
Media Innovation Group
Media Math
Media6Degrees
MediaMind (including Eyewonder)
Mixpo
Microsoft Advertising
Netmining
OwnerIQ
Pulse360
PulsePoint
RadiumOne
Rocket Fuel
RichRelevance
The Rubicon Project
ShareThis
Specific Media
SteelHouse
Targus (now Neustar Information Services)
Tribal Fusion
TruEffect
Turn
Undertone
ValueClick Media (including Mediaplex)
Vibrant Media
Videology
Yahoo! (including interclick)
Yume


6 Two companies — Adchemy and Epic Marketplace (formerly Traffic
Marketplace) — were members of the NAI as of January 2012, but have
since withdrawn from the NAI, and thus were not included in the annual
review. Epic has ceased operations, and Adchemy has represented to
the NAI that it no longer engages in online behavioral advertising.
See http://www.adchemy.com/privacy-policies.


The NAI compliance team reviewed every 
submission and all supporting documentation. 
The compliance team also evaluated member 
companies’ business practices, reviewing their 
websites, privacy policies and other consumer- 
facing disclosures, marketing materials, and press 
releases. In addition to these publicly available 
materials, NAI staff reviewed business proprietary 
materials supplied by members, including 
internal policies and procedures and non-public 
marketing materials, contracts, and terms of 
service. Finally, the compliance team tested
the functionality of members’ opt-out tools,
reviewed the websites of members’ partners for 
notice and choice disclosures, and engaged in 
automated web browsing intended to determine 
the behavior of member companies’ systems after 
setting an opt-out cookie. 


Interviews 


Following its review of member companies’
submissions and other materials, NAI staff
conducted one or more interviews with
representatives from 74 of the 76 evaluated
member companies, primarily high-level
management and engineering staff.⁷
The compliance team questioned these
representatives about business and policy issues
such as the collection and use of data for OBA
purposes; policies governing those practices;
contractual requirements imposed on business
partners concerning notice, choice, and other
protections for data collected and used for
OBA purposes; and processes for oversight
and enforcement of contractual requirements.
The compliance team questioned technological
representatives about data flows; opt-out functionality; data retention; all technologies
used for OBA and related purposes; and technical measures to prevent the use of any
PII for OBA purposes.


7 Two companies provided a written response and
supporting documentation that were so thorough that they
addressed all of NAI staff's questions and concerns and no
interviews were necessary.


During these interviews, NAI staff assessed members’ compliance with the NAI Code,
and also suggested best practice improvements to enhance transparency, choice, and
other protections, even where members’ practices were consistent with NAI requirements. 
For example, in some cases, NAI staff recommended making privacy disclosures more 
prominent and recommended language intended to make the disclosures more clear and 
complete. NAI staff also encouraged members to minimize the data they collect for OBA, 
particularly on health-related websites, and to limit the time for which they keep OBA data. 


After these interviews, NAI staff followed up with all member companies documenting the 
NAI's initial findings and best practice suggestions. For more than half of the evaluated 
member companies, NAI staff had further questions or concerns following the initial 
interview. NAI staff used further correspondence and calls to ensure that all outstanding 
issues were addressed and resolved to the satisfaction of NAI staff. 


Attestations 


As a final step in the annual compliance review, member companies were required to 
attest in writing to their ongoing compliance with the NAI Code and the veracity of the 
information provided in the review process. This certification is intended to supplement 
members’ public attestations, made when becoming members of the NAI, that they 
comply with the NAI Code. 


FINDINGS 


The Code requires the NAI to publish the results of its annual reviews of member 
companies, including a summary of consumer complaints and the resolution of those 
complaints. The following report sets forth the findings of NAI staff with respect to 
the compliance of the evaluated member companies with the requirements of the NAI 
Code in 2012. 


Education 


The NAI Code requires members to collectively maintain an NAI website to serve
as a centralized portal offering explanations of OBA and access to consumer choice
mechanisms. (§ III.1(a).) Members are also required to individually and collectively educate
consumers about OBA and the choices available to them. (§ III.1(b).) In 2012, the NAI and 
its member companies continued to meet their obligations under these provisions of the 
Code, hosting and re-invigorating consumer-friendly content intended to educate users 
about OBA and the choices available to them. 


In its 2011 Compliance Report, the NAI committed to updating its website to make it easier 
for consumers to find relevant information and to opt out, and for regulators, advocates, 
and academics to find information about the 
NAI, the requirements of the NAI Code, and 
the NAI’s compliance program. In 2012, the NAI 
followed through on this commitment. The new 
NAI website is better-organized and easier to 
digest. It clearly presents consumers with critical 
information about OBA, including a prominent 
opt-out button and extensive FAQs intended to 
help consumers understand how data is collected 
and used by NAI member companies for OBA, 
and to help them troubleshoot in the event 
they have difficulty opting out. The new site 
also details the requirements of the NAI Code 
and NAI policies, explains the NAI compliance 
program, and presents a series of Q&As about 
the NAI, its mission, and its relationship with 
other industry groups. 


As an extension of this website redesign, the 
NAI in early 2013 launched an entirely new 
consumer education page that presents new 
educational content in a clear and user-friendly 
manner.[8] The page seeks to convey meaningful 
information to consumers using plain language 
and creative content. It explains what OBA is 
and how it works, using real-world examples and 
images depicting common uses of OBA. It also 
describes the benefits of OBA, the AdChoices 
icon, and the roles of various players in the 
online advertising ecosystem. Finally, it explains 
the options available to users for controlling the 
collection and use of data from their browsers. 


In 2012, NAI member companies continued their 
efforts to drive traffic to the NAI’s education page 
and other educational materials. In total, NAI 
member companies donated billions of 
ad impressions to banner ads that link to the 
NAI’s consumer education web page and to 
the DAA’s educational campaign, hosted at 


8 In addition to these improvements to the content and 
layout of the NAI site, the back-end technology on which the 
website was built contains improved reporting tools that have 
supplemented and supported NAI staff's testing of members’ 
opt-out mechanisms. 
http://www.youradchoices.com/.[9] Like the NAI’s education page, the DAA's education 
page presents information about OBA and the DAA’s “AdChoices” icon through creative 
content, including videos that explain how OBA works and the choices available to users. 
As a result of the work of NAI member companies and other players in the OBA ecosystem, 
these consumer education resources saw more than ten million unique visits in 2012.[10] 


Through members’ education efforts as well as the notice requirements discussed below, 
NAI member companies drive traffic to the NAI’s consumer choice page. That page 
(prominently linked from every page on the NAI’s website) provides users with information 
about which member companies have active OBA cookies on their computers and, if 
they wish to do so, allows them to opt out of OBA by all NAI member companies in 
only two clicks. 


Notice 


The NAI Code requires member companies to provide notice of their OBA and Ad Delivery 
and Reporting Activities on their own websites, and to ensure that notice is provided on the 
websites where they collect data for such purposes. The notice must include descriptions of 
members’ OBA and Ad Delivery and Reporting activities, the data collected and how such 
data will be used and transferred, any merger of PII and non-PII, a data retention statement, 
and a link to an opt-out mechanism. (§ III.2(a).) 


[Figure: Users can opt out of OBA by all NAI member companies in only two clicks.] 
9 The DAA is a coalition of industry associations, including, in addition to the NAI, the AAAA (4A’s), the AAF (American Advertising 
Federation), the ANA (Association of National Advertisers), the DMA (Direct Marketing Association), and the IAB (Interactive 
Advertising Bureau), with support from the Council for the Better Business Bureaus. Those associations have adopted a set of principles 
that, like the NAI Code, impose transparency and choice obligations on participating member companies engaged in online behavioral 
advertising. See Self-Regulatory Principles for Online Behavioral Advertising, available at http://www.aboutads.info/obaprinciples. In 
2011, NAI members were required to begin providing their opt outs on the DAA’s opt-out page in addition to the NAI’s. 


10 See, e.g. http://www.aboutads.info/blog/teaching-consumers-about-interest-based-ads-their-opt-out-choices. 


NAI members continue to 
lead industry efforts to 
provide notice to users 
in and around the ads 
they see using the DAA’s 
Advertising Options Icon. 
As detailed above, most companies make 
substantial revisions to their privacy policies in 
order to qualify for membership in the NAI. During 
the annual review process, NAI staff reviews each 
company’s privacy policy to help ensure that the 
disclosures match the company’s current practices. 
NAI staff also offers suggestions where applicable to 
make those disclosures more clear, conspicuous, and 
consistent with industry best practices. As a result of 
these review processes and members’ commitment 
to provide transparency for their practices, NAI staff 
found that evaluated members’ privacy policies not 
only meet the requirements of the NAI Code, but 
many have become increasingly easy to find and to 
understand over the past three years. 


Because the vast majority of NAI member 
companies do not have direct relationships with 
Internet users, the NAI Code requires that, in 
addition to providing notice in their own privacy 
policies, members take measures to ensure that 
the websites where they collect data also provide 
notice of data collection for OBA purposes. 


Specifically, the NAI Code requires members to 
contractually require that the sites where they 
collect data for OBA purposes provide notice of 
such data collection as well as a link to an opt-out 
mechanism, and to take reasonable steps to 
enforce such contractual requirements. This year’s 
annual review confirmed that members continue 
to take these obligations seriously, and that they 
impose and enforce contractual notice obligations 
on their partners. 


In addition, NAI members continue to lead 
industry efforts to provide notice to users in and 
around the ads they see. NAI members serve the 
DAA’s “Advertising Options Icon” trillions of times 
per month. That icon, which provides “just in 
time” notice, offers consumers yet another means 
by which they can be informed of OBA and the 
choices available to them.[11] 


Health Transparency 


In early 2011, the NAI adopted a “health 
transparency policy.” That policy requires 
member companies to disclose any “standard 
interest segments” that are based on health- 
related information. This policy is intended to 
capture those interest segments for which Opt-In 
Consent is not required under the Code,[12] but 
nevertheless relate to the human body and may 
factor into an individual's decision about whether 
to opt out of targeting by a particular member 
company. Thus, for example, member companies 
may have interest segments associated with 
general health categories such as headaches, 
allergies, or diet and fitness that would not 
require Opt-In Consent under the NAI Code, 
but would require disclosure under the 
transparency policy. 


11 Though enhanced notice is not a requirement of the current NAI Code, the NAI's revised draft code of conduct would require 
members to provide, and to support the provision of, notice in or around interest-based ads. 


12 The NAI Code requires Opt-In Consent for the collection and use of “Sensitive Consumer Data,” which is defined to include 
“precise information about past, present, or potential future health or medical conditions or treatments, including genetic, genomic, 
and family medical history.” Thus, for example, if an NAI member company were to seek to market to users on the basis of sensitive 
health conditions such as any type of cancer, mental health-related conditions, or sexually transmitted diseases, the company would 
need to clearly explain that intent and to obtain Opt-In Consent for such use. No NAI member companies currently target users on the 
basis of such segments. 


The NAI believes that, from industry's perspective, 
this additional layer of transparency for health- 
related segments promotes compliance with NAI 
Code requirements, and also helps to normalize 
best practices by all participants in the online 
advertising marketplace. From a consumer's 
perspective, the additional transparency 
enhances confidence that sensitive health-related 
information is not collected and used without 
their knowledge and consent. It also supports 
more educated decisions about whether to 
opt out of the collection of data for behavioral 
advertising purposes by some or all NAI 
member companies. 


As promised in the NAI's 2011 Annual 
Compliance Report, the NAI began fully 
enforcing the health transparency policy in 
2012. To accomplish this, NAI staff questioned 
member companies about their standard interest 
segments and ensured that any such segments 
related to the human body were disclosed on 
members’ websites. These disclosures take a 
variety of formats: some companies disclose all 
standard interest segments available to their 
partners, whether or not the segments are 
related to health topics. Other companies list 
all health-related segments on pages linked 
from their privacy policies. Still other companies 
provide common examples of health-related 
targeting that they may allow.[13] Disclosed 
health-related interest segments include 
categories such as “healthy living,” “fitness 
and exercise,” “cold and flu,” “allergies,” 
“headaches,” “vision,” “heartburn,” and 
“alternative medicine.” 


Choice: Opt-Out Consent 


NAI member companies are required to provide 
and honor choice for the collection and use 
of data for OBA purposes. The level of choice 
required by the NAI Code depends on the 
intended use of the data. (§ III.3(a).) With respect 
to the use of non-PII, member companies are 
required to provide and honor an opt-out 
mechanism.[14] As described above, the NAI 
website serves as a centralized repository for 
members’ opt-out mechanisms. The NAI Code 
also requires members to provide a means by 
which users can opt out of OBA on their 
own websites. 


This year's automated testing and annual review 
confirmed that all member companies provide 
the opt-out mechanisms required by the NAI 
Code. As with notice, member companies have 
continued to make these disclosures easier to 
locate, such as through prominent “opt-out” 
buttons at the top of their websites or links to 
their opt-out pages from the footer of every page 
on their websites. The review also demonstrated 
that members’ opt-out mechanisms continue to 
work reliably and as intended. 


Evaluated member companies 
affirmed that they do not use any 
technologies other than standard 
cookies for OBA purposes. 


13 Many member companies do not employ “standard” interest segments at all, but rather engage only in practices such as 
retargeting, search retargeting, and custom segmentation. In such cases, NAI staff recommended as a best practice that the companies 
add disclosures to their privacy policies providing sample health-related interest segments and noting that they do not target users 
based on sensitive health-related interests. 


14 The NAI Code requires member companies to provide an opt-out mechanism, together with robust notice, for the use of PII to be 
merged with non-PII on a going-forward basis (prospective merger). Members are also required to obtain Opt-In Consent for the use of 
previously collected PII to be merged with non-PII (retrospective merger). As addressed below, no evaluated member companies currently 
use PII for OBA. As a result, this report addresses the provision and honoring of opt-out choices for the use of non-PII for OBA only. 


Automated Testing 


As detailed above, in 2012, the NAI increased and 
formalized its technical monitoring of member 
companies. This testing runs multiple times per 
day and sends automated reports to NAI staff. 
The testing flags potential issues with members’ 
opt-out mechanisms, including the inability to 
set an opt-out cookie or inadvertent deletion 
of opt-out cookies. This automated testing 
confirmed that, on the whole, members’ opt- 
out tools work as intended and with minimal 
downtime. The automated monitoring did, 
however, allow the NAI to discover a number 
of possible issues, nearly every one of which 
was resolved within 24 hours. 


Annual Review of Opt-Out Mechanisms 


For those companies evaluated in 2012, NAI staff 
supplemented its new ongoing automated testing 
by asking evaluated companies extensive and 
detailed questions about the functioning of their 
opt-out mechanisms, requiring them, for example, 
to list the name, value, domain, and purpose of 
every cookie they continue to set following an opt 
out. NAI staff also manually tested the opt out 
of each evaluated company. Staff reviewed the 
behavior of the opt-out scripts, the lifespan of the 
opt-out cookie, names and values of all opt-out 
cookies and of any potentially unique cookies that 
were used after an opt out, and the messaging to 
consumers following successful and unsuccessful 
opt-out attempts. 


The manual testing, in conjunction with 
members’ responses to the compliance review 
questionnaire, demonstrated that evaluated 
member companies’ opt-out mechanisms appear 
to function as intended. Each evaluated member 
company affirmed that its opt-out mechanism 
prevents the collection and use of data for OBA, 
and many companies reported that they cease 
collecting any data following an opt out. All 
evaluated member companies set opt-out cookies 
with a lifespan of at least five years, as required 
by NAI policy. All evaluated member companies’ 
opt-outs also appeared to include functioning 
P3P information, increasing the likelihood of 
proper functionality across a wide range of 
browser settings. NAI staff did, however, identify 
one instance of a company conducting OBA on 
a domain that was not included in its opt out.[15] 
While the affected company promptly addressed 
this issue, the NAI intends to more strictly enforce 
its domain reporting requirement and increase 
its technical monitoring of member companies 
to crawl additional sites in 2013 to help prevent 
similar issues from recurring. 


During the annual review, NAI staff also 
conducted manual testing designed to help 
ensure that evaluated member companies do not 
continue to collect data for OBA purposes where 
an opt-out cookie is present. To do this, NAI 
staff noted any cookies with potentially unique 
identifiers used following an opt out. In all cases, 
NAI staff inquired about the use of such cookies, 
and sought assurance that the cookies were not 
used for OBA purposes. All evaluated member 
companies that continue to set cookies with 
unique identifiers explained that the cookies were 
used for non-OBA purposes such as analytics, 
frequency capping, and attribution. 
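
The checks described in the automated-testing and annual-review passages above can be expressed as a small audit over the Set-Cookie headers captured after an opt-out request. This is an added example, not the NAI's monitoring tool or any member's code; the cookie name `optout`, the domain `adnetwork.example`, the sample headers, and the entropy heuristic for "potentially unique" values are all assumptions.

```python
import math
from collections import Counter
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# The report states that opt-out cookies must last at least five years.
MIN_LIFESPAN = timedelta(days=5 * 365)


def parse_set_cookie(header, observed_at):
    """Split one Set-Cookie header value into name, value, domain and lifespan."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "domain": None}
    max_age = expires = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie["domain"] = val.lstrip(".").lower()
        elif key == "max-age":
            try:
                max_age = timedelta(seconds=int(val))
            except (ValueError, OverflowError):
                pass  # a malformed Max-Age is ignored
        elif key == "expires":
            try:
                when = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                continue  # an unparseable date is ignored
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            expires = when - observed_at
    # Max-Age takes precedence over Expires (RFC 6265); neither means a session cookie.
    cookie["lifespan"] = max_age if max_age is not None else expires
    return cookie


def looks_unique(value, min_len=12, min_bits_per_char=3.0):
    """Heuristic (assumption): long, high-entropy values may be per-browser identifiers."""
    if len(value) < min_len:
        return False
    counts = Counter(value)
    entropy = -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())
    return entropy >= min_bits_per_char


def audit_opt_out(headers, opt_out_name, observed_at):
    """Check the opt-out cookie and list other cookies that need a follow-up question."""
    result = {"opt_out_set": False, "lifespan_ok": False, "deleted": False, "follow_up": []}
    for header in headers:
        cookie = parse_set_cookie(header, observed_at)
        life = cookie["lifespan"]
        expired = life is not None and life <= timedelta(0)
        if cookie["name"] == opt_out_name:
            # A later header overrides an earlier one, so a deletion after a set is caught.
            result["deleted"] = expired
            result["opt_out_set"] = not expired
            result["lifespan_ok"] = (not expired and life is not None
                                     and life >= MIN_LIFESPAN)
        elif not expired and looks_unique(cookie["value"]):
            # Still set after the opt out: ask the member what this cookie is used for.
            result["follow_up"].append((cookie["name"], cookie["domain"]))
    return result


# Constructed captures (not real traffic) for a hypothetical member domain.
OBSERVED_AT = datetime(2012, 6, 1, tzinfo=timezone.utc)
CAPTURE_CLEAN = [
    "optout=1; Domain=.adnetwork.example; Path=/; Expires=Thu, 01 Jun 2017 00:00:00 GMT",
    "fcap=3; Domain=.adnetwork.example; Path=/; Max-Age=86400",
    "uid=a3f9c2e17b4d80615c2e; Domain=.adnetwork.example; Path=/; Max-Age=0",
]
CAPTURE_FLAGGED = [
    "optout=1; Domain=.adnetwork.example; Path=/; Max-Age=31536000",
    "visitor=9f2c7a1be04d4d6a8c33b51e; Domain=.stats.adnetwork.example; Max-Age=63072000",
]
CAPTURE_DELETED = [
    "optout=1; Domain=.adnetwork.example; Max-Age=157680000",
    "optout=; Domain=.adnetwork.example; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
]

if __name__ == "__main__":
    for label, capture in [("clean", CAPTURE_CLEAN), ("flagged", CAPTURE_FLAGGED),
                           ("deleted", CAPTURE_DELETED)]:
        print(label, audit_opt_out(capture, "optout", OBSERVED_AT))
```

A cookie on the follow-up list is not a finding by itself; as the report notes, identifiers may remain for analytics, frequency capping, or attribution, so the output is a list of questions to put to the member.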


The annual review found no 
evaluated member company 
using Sensitive Consumer 
Data for OBA purposes. 


15 This company began using a new domain for OBA, and promptly updated the opt-out mechanism on its own site to reflect that 
change. The company failed, however, to report the new domain to the NAI as required by the NAI’s new domain registry requirement 
or to update the opt out available on the NAI website. As soon as NAI staff identified this error, the affected member company 
promptly updated its opt-out mechanism to cover all domains used for OBA. 


Technologies Used for OBA 


NAI policy currently prohibits the use of locally 
stored objects (LSOs) as well as browser cache 
for OBA and Ad Delivery and Reporting 
purposes. NAI staff employs various means to 
check for member companies’ adherence to 
this policy. The NAI's technical monitoring tool 
provides robust data sets that the staff then 
uses to look for any LSOs set by member 
companies, as well as any evidence of a unique 
identifier in a targeting cookie “respawning” 
after such cookie is deleted. During the 2012 
annual review, NAI staff did additional manual 
testing to help ensure that LSOs are not used 
for OBA purposes. NAI staff also asked 
companies about their use of any technologies 
other than standard http cookies (including 
Flash cookies, cache files, e-tags, or history 
sniffing) for OBA purposes. All evaluated 
member companies affirmed that they do not 
use any technology other than standard http 
cookies for OBA or Ad Delivery and Reporting 
purposes, and the NAI's testing uncovered no 
evidence of member companies using alternate 
technologies for OBA or Ad Delivery and 
Reporting purposes.[16] 


Opt-In Consent 


Under the NAI Code, member companies are 
required to obtain Opt-In Consent under two 
circumstances. The use of “Sensitive Consumer 
Information”[17] requires the provision of Opt-In 
Consent. (§§ III.3(a)(iv), II.8.) The merger of 
PII with previously collected non-PII for OBA 
purposes also requires Opt-In Consent. 
(§ III.3(a)(iii).) 


NAI testing and member 
responses to questioning 
demonstrated that 
evaluated member 
companies’ opt-out 
mechanisms work 
as intended. 


NAI staff found no evaluated member companies 
using or seeking to use Sensitive Consumer 
Data as defined by the NAI Code for OBA 
purposes. The compliance review demonstrated 
that evaluated member companies have a 
uniformly high awareness of the sensitivity of 
this data, and have protections in place to 
ensure that sensitive data is not used for OBA. 
Similarly, as detailed below, no evaluated 
member company was found to merge PII with 
non-PII for OBA purposes. Accordingly, no 
NAI member company is currently seeking to 
obtain Opt-In Consent under the NAI Code. As 
explained above,[18] some member companies 
do target users on the basis of general interest 
in health-related subjects, such as “cold and 
allergies.” Such segments do not require 
Opt-In Consent under the NAI Code, but do 
require disclosure under the NAI’s new health 
transparency policy. 


16 The NAI Code and this NAI policy do not currently cover mobile devices or mobile companies. As a result, NAI staff's review and 
testing was limited to desktop devices. 


17 “Sensitive Consumer Data” is defined to include “Social Security Numbers or other government-issued identifiers, insurance plan 
and financial account numbers, information that describes the real-time geographic location of an individual, and precise information 
about past, present, or potential future health or medical conditions or treatments, including genetic, genomic, and family medical history.” 


18 See supra page 18. 
No evaluated member company 
intentionally collects PII for OBA 
purposes. Evaluated member 
companies have implemented 
contractual measures to help 
prevent the collection of PII and 
technical measures to help ensure 
that inadvertently-received PII 
is not stored or used for OBA 
purposes. 


Personally Identifiable Information (PII) 


The NAI Code is designed to encourage data 
minimization by incentivizing member companies 
to not use PII for OBA purposes.[19] The most 
notable of these incentives is the heightened 
notice and choice requirements that apply to 
the use of PII to be merged with non-PII for 
OBA purposes. As a result of the disincentives 
imposed by the NAI Code to collect or use 
PII for OBA purposes, no evaluated member 
company intentionally collects PII for OBA 
purposes. NAI members, moreover, set up 
robust mechanisms to help ensure that they 
do not collect PII for OBA purposes. Evaluated 
member companies generally impose contractual 
restrictions forbidding their data providers 
from passing PII to them. Because PII can be 
passed to NAI member companies inadvertently, 
however, member companies reinforce these 
contractual requirements through technical 
controls. Evaluated member companies generally 
design their systems to ensure that any PII that is 
inadvertently collected is immediately discarded 
and is not stored or used for OBA purposes. 


Children 


The NAI Code goes beyond the requirements 
of the existing COPPA Rule to require verifiable 
parental consent for the use of non-PII, such as 
unique identifiers stored in cookies, used 
to create segments targeted at children 
under 13. (§ III.4(a).) 


No evaluated member company was found to 
create segments specifically targeting children 
under thirteen, and NAI staff’s review accordingly 
revealed no compliance deficiency with respect 
to this provision of the Code. Evaluated member 
companies are aware of the sensitivity of data 
related to children, and have processes and 
procedures in place to ensure that segments 
specifically targeted at children under thirteen 
are not created or used. The NAI is working 
to educate its member companies about the 
requirements of the FTC's new COPPA rules as 
they apply to the collection and use of non-PII 
such as cookie identifiers and IP addresses for 
OBA purposes. 


Evaluated NAI Member 
Companies do not use, or 
allow use of, data collected 
for OBA purposes other than 
for marketing. 


19 The Code also forbids member companies from collecting PII for OBA purposes in the absence of a contractual relationship with 
the company (§ III.4(c)); provides that if a member changes its own privacy policy with regard to PII and merger with non-PII for OBA 
purposes, prior notice must be posted on the member's website, and any material change shall only apply to data collected following 
the change in policy (§ III.4(d)); specifies that if data is collected under a privacy policy that states that data would never be merged with 
PII, such data may not be later merged with PII in the absence of Opt-In Consent from the consumer (§ III.4(e)); requires members to 
contractually require any third parties to which they provide PII for OBA or Multi-Site Advertising to adhere to applicable provisions of 
the NAI Code (§ III.5(a)); and requires members to provide consumers with reasonable access to PII and other information associated 
with that PII retained by the member for OBA or Multi-Site Advertising purposes (§ III.6(a)). 


Marketing Purposes 


The NAI Code forbids member companies from using, or allowing the use of, data collected 
for OBA for purposes such as employment, credit, and insurance eligibility. Specifically, the 
Code forbids member companies from using, or allowing the use of, OBA segments other 
than for “Marketing Purposes.” (§ III.4(b).)[20] No evaluated member company was found to 
use, or allow the use of, OBA data for any purposes other than marketing as defined by the 
NAI Code. Evaluated member companies report having contractual provisions and other 
processes in place to limit the use of data to marketing-related purposes only. NAI staff's 
review revealed no compliance deficiency with respect to the prohibition on using, or 
allowing the use of, data collected for OBA other than for marketing purposes. 


Data Retention, Security, and Transfer Restrictions 


In addition to the host of requirements imposed by the NAI Code with respect to 
the collection and use of PII for OBA and Ad Delivery and Reporting purposes, the NAI 
Code imposes requirements designed to ensure that even non-PII is collected and stored 
appropriately. Specifically, the Code requires that member companies retain data only as long 
as necessary for a legitimate business purpose (§ III.9), that they secure data appropriately 
(§ III.8), that they obtain data from reliable sources and that when they transfer data to be 
merged with PII for OBA purposes, they ensure that the receiving party adhere to applicable 
provisions of the Code (§§ III.7, III.5(b)). 


The 2012 annual review found that evaluated member companies are meeting their 
obligations to appropriately protect non-PII consistent with the NAI Code. Evaluated member 
companies report conducting appropriate due diligence on data sources to help ensure that 
such sources are “reliable.” This due diligence includes reviews of potential partners’ privacy 
policies and methods by which they obtain any necessary consents. It also includes reviews of 
potential partners’ business practices, particularly of companies that collect data using new 
technologies and of companies that are not themselves members of the NAI. 


Evaluated member companies also report, and provided sample documentation demonstrating, 
that they employ contractual measures to prevent companies to which they transfer non-PII 
for OBA purposes from merging such data with non-PII. Finally, evaluated member companies 
report retaining data only for so long as necessary to meet a legitimate need (and consistent with 
their publicly-stated retention periods), and providing reasonable security for such data. 


Consumer Communications 


NAI members are required to maintain a centralized mechanism linked to the NAI website to 
receive consumer questions or complaints relating to members’ compliance with the Code. 
(§ IV.2(a).) NAI members also are required to respond to and make reasonable efforts to resolve 
questions implicating their compliance with the NAI Code within a reasonable period of time. 
(§ IV.2(b).) The NAI is required to “produce an annual summary of the nature and number of 

20 “Marketing Purposes” is defined in the NAI Code as “any activity undertaken to collect, aggregate, analyze, 
maintain, update, or sell information in order to tailor content or services that allows or induces consumers to take 
action to purchase, rent, or exchange products, property or services, to solicit a charitable donation, to utilize market 
research or market surveys, or to provide verification services to marketers.” (§ II.9) 
consumer complaints received, the nature and number of complaints that were escalated 
to membership and the nature and number of matters referred to the Board, specifying the 
name of companies, if any, that were sanctioned for failure to remedy compliance defects.”[21] 
Consistent with these Code requirements, the NAI website contains a form that allows consumers 
to submit questions or complaints relating to members’ compliance with the NAI Code. As part 
of the 2012 annual review, NAI staff ensured that all evaluated member companies also provide 
mechanisms for consumer complaints or questions on their own websites. 


In 2012, the NAI improved its intake and response methods for handling consumer 
complaints to help ensure that they are addressed in a timely and meaningful manner. 
The new NAI website discussed above employs form technology that sorts and routes 
consumer comments, questions, and complaints directly to relevant NAI staff. Using this 
new technology, NAI staff have reduced the average time required to respond to consumer 
questions and complaints by 50%. 


As in previous years, the NAI processed thousands of consumer inquiries in 2012. Also as 
in previous years, the vast majority of these communications pertained to issues outside of 
the scope of the NAI’s mission. Of those that did pertain to the NAI's mission, most were 
consumers requesting assistance in opting out. In addition to helping consumers opt out, 
NAI staff monitors consumer communications to help identify possible technical issues with 
member companies’ opt outs or with the NAI opt-out page, and any potential compliance 
issues. In this way, consumer communications supplement the NAI’s own opt-out testing. 


In 2012, the NAI received thirty-seven communications raising issues of potential material 
non-compliance with the NAI Code. NAI staff found, upon further investigation, that 
twenty-nine of those communications did not raise compliance issues. In the remaining eight 
cases, NAI staff followed up with the affected member companies. In each case, the affected 
company promptly addressed the issue. No consumer communications presented complaints 
of noncompliance with the NAI Code that required formal escalation to individual member 
companies or to the NAI Board. NAI staff believes that all complaints raised by consumers in 
2012 that are conducive to resolution have been resolved. 


CONCLUSION 


The 2012 annual review demonstrated that evaluated member companies are highly 
committed to the NAI’s self-regulatory framework. As in prior years, representatives of the 
vast majority of evaluated members expressed commitment to, and a desire to learn from, 
the compliance process, and were anxious for further guidance from the NAI on how to best 
align their business practices with the NAI Code and industry best practices. With very few 
exceptions, evaluated member companies promptly implemented suggested changes in 
practice. NAI staff looks forward to continuing to work with member companies in 2013 to 
further develop best practices for the collection and use of data for OBA and to help member 
companies bring their practices into alignment with the revised Code of Conduct. 


21 See NAI Compliance Program Complaint Process, supra note 3, at 2. 